dzo
newbie
Topic Author
Posts: 29
Joined: Mon Feb 04, 2019 2:53 pm

Filtering VLANs

Fri Oct 30, 2020 6:24 pm

Hi everyone!

Is there any way to filter for VLANs in the IPv4 firewall rules?

Everything I found filters on interfaces, but broadcasts enter the firewall as Bridge(EthernetPort); although the VLAN tag is inside the packet, I found nothing to filter on it. Only a mangle rule in the bridge could mark the packet as VLAN100, and then I can match on the packet mark. Is there a simple firewall match for it like "Ingress Priority", which matches only the first 3 bits of the VLAN tag field?

In the wiki everything I found was filtering for IPs. If they are my DHCP leases, everything is fine, but what if someone comes with his own IP, assigned by himself, matching one of my other VLANs? He would look like he is coming from that VLAN. I would like to test whether a packet coming from a VLAN has an IP bound to that specific VLAN.
 
anav
Forum Guru
Posts: 22909
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Filtering VLANs

Sat Oct 31, 2020 3:35 pm

Sorry, I am not aware of such functionality, but my knowledge is limited, hopefully others will chime in with more definitive answers, patience!!
 
sindy
Forum Guru
Posts: 11418
Joined: Mon Dec 04, 2017 9:19 pm

Re: Filtering VLANs

Sat Oct 31, 2020 4:57 pm

I'm not sure I get right what you actually want to achieve and how broadcasts are related. ip(v4) firewall rules affect packets which are routed by the machine; to affect frames which are bridged, you need bridge filter/bridge nat rules.

To get routed, the packet must arrive within a frame with a destination MAC address of the router's own interface, and if it has a VLAN tag, an /interface vlan row with the same VLAN tag must exist in the router, and some IP configuration must be attached to it, in order that the packet could be extracted from the tagged frame and handled by routing.

So for the ip firewall, the VLAN ID from the VLAN tag of a received frame translates to an in-interface name. I.e. if you want to prevent a packet with an allowed source address from being handled if it comes in with a wrong VLAN ID, your ip firewall rules must match on both src-address(-list) and in-interface.

For bridging the frames between bridge ports, you should use /interface bridge filter, which can match on vlan-id. But currently (6.46.7 as long-term as of writing this) it is unfortunately impossible to match on IP fields of VLAN-tagged frames.

If you use /interface bridge settings use-ip-firewall=yes, which is normally only necessary if you want to apply QoS handling on bridged packets (but it breaks other things), then yes, you have to assign packet-mark to the frames using /interface bridge filter rules depending on their vlan-id, and then match on that packet-mark value in the /ip firewall rules.

Matching on the priority field of the VLAN tag (CoS field) is possible directly in /ip firewall rules; the match condition for that field is called priority. It is only defined for packets which came in with a VLAN tag or via wireless, where the WMM field bears the priority information.
 
dzo
newbie
Topic Author
Posts: 29
Joined: Mon Feb 04, 2019 2:53 pm

Re: Filtering VLANs

Sat Oct 31, 2020 9:39 pm

Thank you for your answers.

I got packets (here a non-broadcast):
(1)
forward: in:bridgeLeft(LAG1_Uplink) out:bridgeLeft(e4_PC1), src-mac b8:69:XX:XX:XX:XX, proto UDP, 192.168.10.2:67->192.168.10.64:68, len 328
or (broadcast, for many ports):
(2)
forward: in:bridge_LAN(E0-sfp_Uplink) out:bridge_LAN(E10_AP5), src-mac 00:1b:XX:XX:XX:XX, proto UDP, 192.168.102.11:138->255.255.255.255:138, len 229
All clients are separated through VLANs; the moment they enter the LAN, they get their VLAN tag from the switch. What happens if I give my PC, connected to VLAN2, an IP of VLAN1 by hand and let it address a PC in VLAN1? I just want to check all packets before forwarding, when they enter the firewall, whether they have an IP from the right VLAN.

Both packets (1) and (2) did not get the VLAN-Interface, so a firewall rule like
action=drop chain=forward src-address=!192.168.10.0/24 in-interface=vlan1Master
does not match these packets.

Packets with in:VLAN-Interface I only see in input or output rules, and just a very few in forward rules.

Matching on the VLAN interface for the other packets did not work. Sadly most of the packets come from uplinks; these are trunk ports, so they represent more than one VLAN.

As I think about it, is this a possibility: matching on the priority field? As the priority field allows 0-65535, this might be the 16 bits of the TCI: 3 bits ToS, 1 bit (CPI) = zero and 12 bits VLAN ID. If all traffic has ToS zero, can I match on my VLAN with the priority field (VLAN * 16)? VLAN 1 might match on priority 16, VLAN100 on priority 1600?

I'm thinking about something like
action=drop chain=forward priority=1600 src-address=!192.168.100.0/24
(OK, this is not a working solution, as I need to test for src and dst addresses to get incoming and outgoing packets in that VLAN, and do it positively: accept with the right VLAN and src-address or dst-address and drop the rest for this VLAN, plus a solution for broadcasts, multicasts and so on.)
Has anyone tested it with priorities? And if I allow other priorities in the VLAN, do I simply add them to this number? Or do I run into difficulties I do not expect? This might be a workaround for matching on VLANs without "packet-mark" in one IPv4 firewall rule.
 
sindy
Forum Guru
Posts: 11418
Joined: Mon Dec 04, 2017 9:19 pm

Re: Filtering VLANs

Sat Oct 31, 2020 10:13 pm

I'd have to see your complete configuration - see my automatic signature right below. You say that the packets get tagged by the (external?) switch, but from the log messages it seems that the packets arrive without a VLAN tag, plus that you have multiple bridges set up. So the actual issue may be somewhere else than you expect.
 
sindy
Forum Guru
Posts: 11418
Joined: Mon Dec 04, 2017 9:19 pm

Re: Filtering VLANs

Sat Oct 31, 2020 10:38 pm

Other than that, the priority match condition gets those three CoS bits alone, so the range of values is 0..7.
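The two points sindy makes above (a tagged frame is only routed when an /interface vlan with that VID exists, so the VID turns into an in-interface name that a rule can combine with src-address; and the priority match sees only the three PCP bits, so it can never encode a VID the way the VLAN * 16 arithmetic assumes) can be checked with a few lines of code. The following is an added example, not code from the thread or from RouterOS: it builds constructed 802.1Q frames, splits the TCI into PCP/DEI/VID, derives the in-interface from the VID, and runs an assumed in-interface plus src-address rule table over the frames. The vlan100/vlan200/vlan500 names and the three subnets are taken from dzo's posted config; the rule table, MAC addresses and IP addresses are assumptions for the example. It models only what the IP firewall sees, not the bridge path.

```python
"""Added example, not from the thread: how an 802.1Q tag splits into
PCP / DEI / VID (why `priority=` can only be 0..7), and how an IP
firewall rule set that matches in-interface together with src-address
catches a host that assigns itself an address from another VLAN. The
frames are constructed here; VID->interface names and subnets follow
dzo's posted config (three of its VLANs), the rule table is assumed."""
import ipaddress
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

# /interface vlan rows on the bridge: the in-interface the firewall sees per VID
VID_TO_INTERFACE = {100: "vlan100", 200: "vlan200", 500: "vlan500"}

# Assumed rule set in the spirit of sindy's advice: accept only when the
# in-interface derived from the VLAN tag and the source subnet agree.
RULES = [
    {"in-interface": "vlan100", "src-address": "192.168.96.0/20", "action": "accept"},
    {"in-interface": "vlan200", "src-address": "192.168.112.0/20", "action": "accept"},
    {"in-interface": "vlan500", "src-address": "192.168.128.0/19", "action": "accept"},
]


def parse_tci(tci: int) -> dict:
    """Split the 16-bit Tag Control Information field into its three parts."""
    return {
        "pcp": (tci >> 13) & 0x7,  # 3-bit priority; this is all `priority=` sees
        "dei": (tci >> 12) & 0x1,  # drop eligible indicator
        "vid": tci & 0x0FFF,       # 12-bit VLAN ID
    }


def build_frame(vid: int, pcp: int, src_ip: str, dst_ip: str) -> bytes:
    """Constructed tagged IPv4 frame; MACs and payload are placeholders."""
    eth = bytes.fromhex("b86900000001") + bytes.fromhex("001b00000002")
    tag = struct.pack("!HHH", ETHERTYPE_8021Q, (pcp << 13) | vid, ETHERTYPE_IPV4)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    return eth + tag + ip_hdr + bytes(8)  # 8 zero bytes stand in for a UDP header


def parse_frame(frame: bytes) -> dict:
    """Return PCP/DEI/VID and IPv4 addresses of a tagged IPv4 frame."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_8021Q:
        raise ValueError("untagged frame: no VID for the firewall to derive")
    tci, inner = struct.unpack("!HH", frame[14:18])
    if inner != ETHERTYPE_IPV4:
        raise ValueError("not IPv4")
    ip = frame[18:]
    fields = parse_tci(tci)
    fields["src_ip"] = ipaddress.IPv4Address(ip[12:16])
    fields["dst_ip"] = ipaddress.IPv4Address(ip[16:20])
    return fields


def in_interface(vid: int):
    """A tagged frame is only routed if an /interface vlan with that VID exists."""
    return VID_TO_INTERFACE.get(vid)


def verdict(frame: bytes) -> str:
    """First matching rule wins; anything unmatched is dropped (catch-all)."""
    f = parse_frame(frame)
    iface = in_interface(f["vid"])
    if iface is None:
        return "drop"  # no /interface vlan for this VID: nothing reaches the firewall
    for rule in RULES:
        if rule["in-interface"] == iface and f["src_ip"] in ipaddress.ip_network(rule["src-address"]):
            return rule["action"]
    return "drop"


def priority_matches(frame: bytes, value: int) -> bool:
    """What `priority=value` compares against: the PCP only, never the VID."""
    return parse_frame(frame)["pcp"] == value


if __name__ == "__main__":
    printer = build_frame(100, 0, "192.168.102.11", "192.168.100.1")
    spoof = build_frame(200, 0, "192.168.100.50", "192.168.100.1")  # VLAN 100 address on VLAN 200
    print("printer on vlan100:", verdict(printer))
    print("spoofed address on vlan200:", verdict(spoof))
    print("TCI 1600 decodes as", parse_tci(1600))
```

The spoofing case dzo describes (a PC on one VLAN configured with an address from another) is rejected because the in-interface derived from the tag and the source subnet disagree, which is exactly the src-address plus in-interface pairing sindy recommends. Decoding 1600 as a TCI also shows why the VLAN * 16 idea cannot work: 1600 has PCP 0 and VID 1600, and the priority match only ever compares the PCP.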
 
dzo
newbie
Topic Author
Posts: 29
Joined: Mon Feb 04, 2019 2:53 pm

Re: Filtering VLANs

Sun Nov 01, 2020 12:08 am

Really? It's more than 600 lines, the whole configuration. OK, I like to see other configurations, so why not show mine as a working configuration...

The two bridges are in the RB3011, one for the left switch chip with VLANs, the other for the right switch chip without VLANs and filtering, so that the right ports can be connected with hardware offload.
I have some other networks with RB4011s; there I have just one bridge, but the same problem.

VLAN tagging is port based:
by Zyxel managed switches GS1900,
by switches like MikroTik's CSS326-24G-2S+
and by access ports managed by CAPsMAN

I'll try to compress the configuration from one of the RB4011s with only one bridge:
/caps-man datapath
add client-to-client-forwarding=yes local-forwarding=yes name=VLAN100 vlan-id=100 vlan-mode=use-tag
add client-to-client-forwarding=no local-forwarding=yes name=VLAN200 vlan-id=200 vlan-mode=use-tag
add client-to-client-forwarding=no local-forwarding=yes name=VLAN500 vlan-id=500 vlan-mode=use-tag

/interface bridge
add frame-types=admit-only-vlan-tagged name=bridge_LAN vlan-filtering=yes

/interface vlan
add interface=bridge_LAN name=vlan100 vlan-id=100
add interface=bridge_LAN name=vlan200 vlan-id=200
add interface=bridge_LAN name=vlan500 vlan-id=500
add interface=bridge_LAN name=vlan800 vlan-id=800
add interface=bridge_LAN name=vlan900 vlan-id=900

/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
# same for all other ports, no VLAN on the switch chip ....

/ip pool
add name=pool100 ranges=192.168.102.1-192.168.110.253
add name=pool200 ranges=192.168.121.1-192.168.127.254

/ip dhcp-server
add address-pool=pool100 disabled=no interface=vlan100 name=dhcp100
add address-pool=pool200 disabled=no interface=vlan200 lease-time=1h name=dhcp200
#(There are DHCP servers for all VLANs! Skipped for simpler reading)

/interface bridge port
add bridge=bridge_LAN frame-types=admit-only-vlan-tagged ingress-filtering=yes interface="E10_AP" pvid=100
add bridge=bridge_LAN frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=E0-sfp_Uplink
add bridge=bridge_LAN frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=bond_1 pvid=100
add bridge=bridge_LAN interface=bond_Switch1
add bridge=bridge_LAN interface=bond_Switch2
add bridge=bridge_LAN frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=bond_2
# yes E1 is the internet-port, not connected to the bridge

/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes

/interface bridge vlan
add bridge=bridge_LAN tagged="bridge_LAN,bond_Switch1,bond_Switch1,bond_2,bond_1,E0-sfp_Uplink,E10_AP" untagged=vlan100 vlan-ids=100
add bridge=bridge_LAN tagged="bridge_LAN,bond_Switch1,bond_Switch1,bond_2,bond_1,E0-sfp_Uplink,E10_AP" untagged=vlan200 vlan-ids=200
# Same for all other VLANs

/ip address
add address=192.168.100.1/20 comment="Main network" interface=vlan100 network=192.168.96.0
add address=192.168.120.1/20 comment="Public address system"  interface=vlan200 network=192.168.112.0
add address=192.168.150.1/19 comment="Guests" interface=vlan500 network=192.168.128.0
# and some more
add address=192.168.100.2/20 comment="Routing-MASQ" interface=vlan100_Mitarbeiter network=192.168.96.0
add address=192.168.64.2/24 comment="External ip" interface=E1_Internet network=192.168.64.0
add address=192.168.100.3/20 comment="RoadWorrier Masq" interface=vlan100 network=192.168.96.0

/ip dhcp-server network
add address=192.168.96.0/20 comment=Main dns-server=192.168.100.1 gateway=192.168.100.1
add address=192.168.112.0/20 comment=Event_Tec dns-server=192.168.120.1 gateway=192.168.120.1
add address=192.168.128.0/19 comment=Guest dns-server=192.168.150.1 gateway=192.168.150.1
#...

/ip dns
set allow-remote-requests=yes servers=192.168.100.2,192.168.64.1

/ip firewall filter
add action=fasttrack-connection chain=forward comment="fasttrack" connection-state=established,related
add action=accept chain=forward comment="Acc Forw established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="Muticasts" dst-address=224.0.0.0/4 log-prefix=Multicast
add action=accept chain=forward log-prefix=Multicast src-address=224.0.0.0/4
add action=drop chain=forward comment="Drop Forw invalid" connection-state=invalid
add action=accept chain=forward comment="Own networks" dst-address=192.168.96.0/20 src-address=192.168.96.0/20
add action=accept chain=forward dst-address=192.168.112.0/20 src-address=192.168.112.0/20
add action=accept chain=forward dst-address=192.168.120.1 log-prefix="Guests only router" src-address=192.168.128.0/19
add action=accept chain=forward comment="Own network to internet" in-interface=vlan100 out-interface=E1_Internet src-address=192.168.96.0/20
add action=accept chain=forward in-interface=vlan200 out-interface=E1_Internet src-address=192.168.112.0/20
add action=accept chain=forward in-interface=vlan500 out-interface=E1_Internet src-address=192.168.128.0/19
# and for the other VLANs

add action=accept chain=forward comment="Allow router network all" log-prefix="From router/switch network" src-address=192.168.100.0/24
# These are the networking machines, they are allowed to do everything
add action=accept chain=input comment="Acc Input established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="Winbox Firewall" dst-port=8291 protocol=tcp
add action=accept chain=output log-prefix=Winbox protocol=tcp src-port=8291
add action=accept chain=input comment=OpenVPN dst-port=1194 protocol=tcp
add action=accept chain=output log-prefix="VPN Out" protocol=tcp src-port=1194
add action=accept chain=forward comment="Mikrotik Discovery" log=yes log-prefix="Mikrotik discovery rules" port=5678 protocol=udp src-address=192.168.96.0/20
add action=accept chain=forward log=yes log-prefix="Mikrotik Discovery do it" port=5678 protocol=udp src-address=192.168.112.0/20
add action=accept chain=forward dst-address=192.168.96.0/20 log=yes log-prefix="Mikrotik Discovery other way" port=5678 protocol=udp
add action=accept chain=forward dst-address=192.168.112.0/20 log=yes log-prefix="Mikrotik Discovery everything ok" port=5678 protocol=udp
add action=accept chain=forward port=5678 protocol=udp
# ovpnDZO not ready
add action=accept chain=forward comment="OVPN allow everything" in-interface=ovpnDZO log-prefix="OVPN allow all" src-address=192.168.201.0/24
add action=accept chain=forward in-interface=ovpn-DZO2 log-prefix="OVPN Welcome" src-address=192.168.201.0/24
#Ok, you see it: I'm outside the building, just connected via ovpn...
# ovpn-Ralf not ready
add action=accept chain=forward in-interface=ovpn-Ralf log-prefix="OVPN do everything you want" src-address=192.168.201.0/24
# and more OVPN
add action=accept chain=forward comment="Back OVPN_Network" dst-address=192.168.201.0/24
add action=drop chain=input comment="Drop Input invalid" connection-state=invalid
add action=accept chain=input comment="Acc ICMP" protocol=icmp
add action=accept chain=input comment="Acc loopback (i.e. CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="Acc ipsec-in" ipsec-policy=in,ipsec
add action=accept chain=forward comment="Acc ipsec-out" ipsec-policy=out,ipsec
add action=drop chain=forward comment="Drop WAN not asked for" connection-nat-state=!dstnat connection-state=new in-interface=E1_Internet
add action=drop chain=forward comment="Everything not allowed is forbidden" log=yes log-prefix="Not allowed!"

/ip firewall nat
add action=masquerade chain=srcnat comment="Masq outside" ipsec-policy=out,none out-interface=E1_Internet
add action=dst-nat chain=dstnat dst-address=192.168.100.2 to-addresses=192.168.64.1
add action=dst-nat chain=dstnat dst-address=192.168.120.100 in-interface=vlan200 to-addresses=192.168.100.100
add action=src-nat chain=srcnat src-address=192.168.201.0/24 to-addresses=192.168.100.3

/ip route
add distance=1 gateway=192.168.64.1
add distance=1 dst-address=192.168.1.0/24 gateway=192.168.100.20
add distance=1 dst-address=192.168.88.0/24 gateway=192.168.100.20

/routing pim interface
add alternative-subnets=192.168.112.0/20,192.168.96.0/20,192.168.128.0/19 \
    interface=vlan200
/routing pim rp
add address=192.168.120.1

/system ntp client
set enabled=yes
So I expect all packets to come with a VLAN tag. In fact, this router just works with E0-sfp and E1_Internet; the other bonded ports are not up. I thought I needed them, but now I decided to give the RB4011 a better place for WLAN. I just connect it by fiber optic cable, using E10 for an AP with PoE and E1 for the Internet uplink; that might change in a next step to a VLAN, so that this cable can be omitted.

As there are no people in the building at this moment, there is not much traffic on the lines. But at this moment I get from a printer:
Not Allowed! forward: in:bridge_LAN(E0-sfp_Uplink) out:bridge_LAN(wlan5G), src-mac 00:1b:XX:XX:XX:XX, proto UDP, 192.168.102.11:138->255.255.255.255:138 len 229
I would expect:
Not Allowed! forward: in:vlan100(E0-sfp_Uplink)...
No VLAN in the log, but it is the printer which got VLAN100 from a port-tagged switch and goes to the RB4011 on a trunk port with vlan-filtering on.
The "switch" the printer is connected to:
# model = RBD52G-5HacD2HnD
# skipped all wlan/caps configs
/interface bridge
add name=MainBridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=E1_Uplink
set [ find default-name=ether2 ] name=E2_Uplink
set [ find default-name=ether3 ] name=E3_Printer1
set [ find default-name=ether4 ] name=E4_Printer2
set [ find default-name=ether5 ] name=E5_PC

/interface vlan
add interface=MainBridge name=vlan100 vlan-id=100

/interface bonding
add link-monitoring=none mode=802.3ad name=bondUplink slaves=E1_Uplink,E2_Uplink transmit-hash-policy=layer-2-and-3

/interface bridge port
add bridge=MainBridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=bondUplink
add bridge=MainBridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=E4_Printer2 pvid=100
add bridge=MainBridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=E3_Printer1 pvid=100
add bridge=MainBridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=E5_PC pvid=100
add bridge=MainBridge interface=vlan100 pvid=100

/interface bridge vlan
# port with pvid added to untagged group which might cause problems, consider adding a seperate VLAN entry
add bridge=MainBridge tagged=MainBridge,bondUplink vlan-ids=101-199,201-499,501-799
add bridge=MainBridge tagged=MainBridge,bondUplink vlan-ids=200
add bridge=MainBridge tagged=MainBridge,bondUplink vlan-ids=500
add bridge=MainBridge tagged=MainBridge,bondUplink untagged=E3_Printer1,E4_Printer2,E5_PC,vlan100 vlan-ids=100

/ip address
add address=192.168.100.12/20 interface=vlan100 network=192.168.96.0
That's it.
 
dzo
newbie
Topic Author
Posts: 29
Joined: Mon Feb 04, 2019 2:53 pm

Re: Filtering VLANs

Sun Nov 01, 2020 12:17 am

Other than that, the priority match condition gets those three CoS bits alone, so the range of values is 0..7.
What a pity, as WinBox allows setting numbers 0..65535 there. But it makes sense, having an "and 0x0007" in this function.
 
dzo
newbie
Topic Author
Posts: 29
Joined: Mon Feb 04, 2019 2:53 pm

Re: Filtering VLANs

Wed Nov 04, 2020 10:29 pm

I'd have to see your complete configuration [...] So the actual issue may be somewhere else than you expect.
Posted the configurations. Anything found?
 
sindy
Forum Guru
Posts: 11418
Joined: Mon Dec 04, 2017 9:19 pm

Re: Filtering VLANs

Thu Nov 05, 2020 10:29 pm

Anything found?
Yes, sorry it took so long.

You have created a kind of L2 loop. Currently, the tagged end of /interface vlan "vlan100" is connected to the CPU-facing port of the MainBridge, and its untagged end is made another member port of the bridge.

The configuration export even warns you about that:
# port with pvid added to untagged group which might cause problems, consider adding a seperate VLAN entry

So remove the row bridge=MainBridge interface=vlan100 pvid=100 from /interface bridge port, and remove vlan100 from the untagged list on the row with vlan-ids=100 in /interface bridge vlan, and it should start working normally.
 
dzo
newbie
Topic Author
Posts: 29
Joined: Mon Feb 04, 2019 2:53 pm

Re: Filtering VLANs

Fri Nov 06, 2020 3:12 am

Thank you for your help. I removed all VLAN ports in /interface bridge (not the full row in vlan, just the entry), like:
 /interface bridge vlan
add bridge=bridge_LAN tagged="bridge_LAN,bond_Switch1,bond_Switch1,bond_2,bond_1,E0-sfp_Uplink,E10_AP" vlan-ids=100
)
Your answer helped me understand VLANs a little bit more, but...

See log:
forward: in:bridge_LAN(E0-sfp_Uplink) out:bridge_LAN(wlan5G), src-mac 00:1b:XX:XX:XX:XX, proto UDP, 192.168.102.11:5678->255.255.255.255:5678 len 166
still exists. Incoming from the bridge, not from the VLAN port. Makes sense to me, because the VLAN port is only passed if the packet goes to the CPU, and if the packet should be broadcast to all ports, the VLAN does not have to be checked. I see these packets being switched to all running ports of the bridge, regardless of which VLAN they have! OK, 255.255.255.255 is a broadcast, but I wanted to separate the VLANs, not accepting any packets of other VLANs.
 
dzo
newbie
Topic Author
Posts: 29
Joined: Mon Feb 04, 2019 2:53 pm

Re: Filtering VLANs

Fri Nov 06, 2020 3:26 am

Besides,
# port with pvid added to untagged group which might cause problems, consider adding a seperate VLAN entry
comes when I have
/interface bridge vlan
add bridge=MainBridge tagged=MainBridge,bondUplink vlan-ids=100-999
where the VLANs have CAPs with VLANs (managed by CAPsMAN) inside this list (100-999). They want different VLANs, where they connect dynamically. If I have separate entries for the VLANs, it works without this message, but if I change the entry (separating the VLANs, leaving the entry with the message with changed VLANs like the example) the message does not disappear. I need to remove the entry and make a new one. It took me a long time to find that out.
You see it: the RB4011 has the same config with the wrong VLAN config as the AP, but no message.
 
sindy
Forum Guru
Posts: 11418
Joined: Mon Dec 04, 2017 9:19 pm

Re: Filtering VLANs

Sat Nov 07, 2020 8:20 pm

I've asked you for a complete configuration of the machine where you get the logs indicating forward: in:bridge_LAN(E0-sfp_Uplink) out:bridge_LAN(wlan5G), to see which rule generates these logs, and how the vlans and firewall handling is configured on that machine.

Instead, you've given me a configuration from another machine (as the interfaces mentioned in the log do not exist there). So I'm unable to find out what the real issue is.
 
dzo
newbie
Topic Author
Posts: 29
Joined: Mon Feb 04, 2019 2:53 pm

Re: Filtering VLANs

Sun Nov 08, 2020 1:49 am

Hi Sindy,

yes, it's true, the first part of the config was missing, I'm sorry:
# oct/31/2020 21:16:53 by RouterOS 6.47.7
# software id = Personal
#
# model = RB4011iGS+5HacQ2HnD
# serial number = Personal
/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2412,2432,2452,2472 name=2Gch1-5-9-13 save-selected=yes tx-power=-7
add band=5ghz-n/ac extension-channel=disabled frequency=5180,5200,5220,5240,5260,5280,5300,5320,5500,5520,5540,5560 name=5G save-selected=yes
/caps-man rates
add basic=12Mbps name=rate2G supported=12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
/caps-man security
add authentication-types=wpa2-psk disable-pmkid=yes encryption=aes-ccm group-encryption=aes-ccm group-key-update=5m name=Stuff
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm group-key-update=5m name=Guest
add name=Free
add authentication-types=wpa2-psk disable-pmkid=yes encryption=aes-ccm group-encryption=aes-ccm group-key-update=5m name=Tec
/caps-man configuration
add channel=2Gch1-5-9-13 country=germany datapath=VLAN200 mode=ap multicast-helper=full name=Tec_2G rates=rate2G security=Tec ssid=Tec-2G
add channel=5G country=germany datapath=VLAN200 mode=ap multicast-helper=full name=Tec_5G security=Tec ssid=Tec-5G
add channel=2Gch1-5-9-13 country=germany datapath=VLAN100 mode=ap multicast-helper=full name="Stuff 2G" rates=rate2G security=Stuff ssid=Stuff
add channel=5G country=germany datapath=VLAN100 mode=ap multicast-helper=full name="Stuff 5G" security=Stuff ssid=Stuff
add channel=2Gch1-5-9-13 country=germany datapath=VLAN500 mode=ap multicast-helper=full name="Guest 2G" rates=rate2G security=Guest ssid=Guest
add channel=5G country=germany datapath=VLAN500 mode=ap multicast-helper=full name="Guest 5G" security=Guest ssid=Guest

/interface wireless cap
#
set bridge=bridge_LAN certificate=request discovery-interfaces=vlan200 enabled=yes interfaces=wlan2G,wlan5G

/interface wireless
# managed by CAPsMAN
# channel: 2412/20/gn(-10dBm), SSID: Stuff, local forwarding
set [ find default-name=wlan2 ] disabled=no name=wlan2G ssid=MikroTik
# managed by CAPsMAN
# channel: 5180/20/ac/P(20dBm), SSID: Stuff, local forwarding
set [ find default-name=wlan1 ] disabled=no name=wlan5G ssid=MikroTik

/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes upgrade-policy=suggest-same-version

/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=ac master-configuration="Stuff 5G" name-format=prefix-identity name-prefix=cap5G slave-configurations="Tec_5G,Guest 5G"
add action=create-dynamic-enabled hw-supported-modes=gn identity-regexp=.*Rest.* master-configuration="Stuff 2G" name-format=prefix-identity name-prefix=capR2G slave-configurations="Guest 2G,Stuff 2G"
add action=create-dynamic-enabled hw-supported-modes=gn identity-regexp=.*Tec.* master-configuration=Tec_2G name-format=prefix-identity name-prefix=capT2G
add action=create-dynamic-enabled hw-supported-modes=g,gn identity-regexp=.*All.* master-configuration="Stuff 2G" name-format=prefix-identity name-prefix=cap2G slave-configurations="Tec_2G,Guest 2G"
add action=create-dynamic-enabled disabled=yes hw-supported-modes=gn master-configuration="Stuff 2G" name-format=prefix-identity name-prefix=cap2G slave-configurations="Tec_2G,Guest 2G"

/interface bonding
add link-monitoring=none mode=802.3ad name=bond_Switch1 slaves=E2_BUp_Sw11,E3_BUp_Sw12 transmit-hash-policy=layer-2-and-3
add link-monitoring=none mode=802.3ad name=bond_Switch2 slaves=E4_BUp_Sw21,E5_BUp_Sw22 transmit-hash-policy=layer-2-and-3
add link-monitoring=none mode=802.3ad name=bond_bond_1 slaves=E6_BUp_11,E7_BUp_12 transmit-hash-policy=layer-2-and-3
add link-monitoring=none mode=802.3ad name=bond_bond_2 slaves=E8_BUp_13,E9_BUp_14 transmit-hash-policy=layer-2-and-3

/interface ethernet
set [ find default-name=sfp-sfpplus1 ] name=E0-sfp_Uplink
set [ find default-name=ether1 ] name=E1_Internet
set [ find default-name=ether2 ] name=E2_BUp_Sw11
set [ find default-name=ether3 ] name=E3_BUp_Sw12
set [ find default-name=ether4 ] name=E4_BUp_Sw21
set [ find default-name=ether5 ] name=E5_BUp_Sw22
set [ find default-name=ether6 ] name=E6_BUp_11
set [ find default-name=ether7 ] name=E7_BUp_12
set [ find default-name=ether8 ] name=E8_BUp_21
set [ find default-name=ether9 ] name=E9_BUp_22
set [ find default-name=ether10 ] name=E10_AP poe-out=forced-on

/interface ovpn-server
add name=ovpnDZ0 user=DZ0
add name=ovpn-DZ02 user=DZ2
add name=ovpn-Florian user=Florian
add name=ovpn-Ralf user=Ralf

/caps-man datapath
add client-to-client-forwarding=yes local-forwarding=yes name=VLAN100 vlan-id=100 vlan-mode=use-tag
add client-to-client-forwarding=no local-forwarding=yes name=VLAN200 vlan-id=200 vlan-mode=use-tag
add client-to-client-forwarding=no local-forwarding=yes name=VLAN500 vlan-id=500 vlan-mode=use-tag
As all 700 lines might be too much, I skipped some lines in the other posting, especially of the CAPsMAN, just to show one line of the datapath so that everyone could see how CAPsMAN makes the VLAN decision. Unfortunately I erased too many lines.

Running interfaces on this machine are:
  • E0-sfp_Uplink - connected to the switch CSS326-24G-2S+ with VLAN management (trunk ports with VLANs in and out, and access ports with just one VLAN, out and in)
  • E1_Internet - maybe this interface will be replaced by a VLAN
  • E10_AP - connected to a RBcAPGi-5acD2nD (because this port has PoE)
As a result of the decision for a new place for the RB4011, the routerboard got fewer wires and so fewer working interfaces. ;-)
 
sindy
Forum Guru
Posts: 11418
Joined: Mon Dec 04, 2017 9:19 pm

Re: Filtering VLANs

Wed Nov 11, 2020 1:37 pm

Your input is chaotic, and I'm losing my patience. The first configuration you've posted is from a hAP ac², the second (partial) one is from the 4011 (different Ethernet interface names are used), and everything regarding bridge is missing there.

Assuming that the hAP ac² is what you call the "external switch", it looks fine, the uplink bond is a tagged member of all VLANs used (including VLAN 100), and only ports ether3, ether4, ether5 are access ports to vlan 100.

As tagged frames are invisible to the IP firewall, there must be something in the 4011's configuration that makes them arrive tagless already to the bridge. Either the external switch is something else than the hAP ac², and its uplink port is configured differently so one of the VLANs arrives untagged already to the 4011's port, or you have the VID of some VLAN configured as the pvid of the bridge in the 4011, which causes the frames to get untagged already on ingress although they are tagged on the wire.

Without seeing the real configuration of the 4011, I cannot tell you more.

Running /tool sniffer quick interface=the-one-to-which-the-external-switch-is-connected on the 4011 will show you whether the frames of the VLAN you're looking at arrive tagged or tagless.
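The bridge-side behaviour sindy describes here and in the earlier reply (a tagged member keeps the tag, an untagged member strips it, a port that is not a member of a VID does not get the frame, and a frame that leaves the bridge towards the CPU untagged can never show up as in:vlan100) can be reproduced with a small model of the 802.1Q ingress and egress rules. The following is an added example, not code from the thread or from RouterOS: the port and VLAN tables are transcribed from the hAP ac² configuration dzo posted (bondUplink tagged in everything, ether3-5 untagged access ports with pvid=100, MainBridge treated as the CPU-facing port), while the behaviour model is a simplification of the standard 802.1Q rules and ignores MAC learning, STP and hardware offload. The function that takes a modified VLAN table shows the symptom in the thread: move the bridge itself into the untagged list for VID 100 and the CPU receives untagged frames, which is what in:bridge_LAN(...) in the log corresponds to.

```python
"""Added example, not part of the thread: a simplified model of 802.1Q
bridge VLAN filtering (frame-types, pvid, ingress-filtering, tagged and
untagged membership) applied to the port layout dzo posted for the
hAP ac2. Tables are transcribed from that post; the behaviour model is
an assumption based on the standard 802.1Q rules, not RouterOS source."""

PRIORITY_TAGGED = 0  # VID 0 on the wire: carries a priority but no VLAN


def expand(ids: str) -> set:
    """'101-199,200' -> {101..199, 200}, like vlan-ids= in /interface bridge vlan."""
    out = set()
    for part in ids.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def port(frame_types: str, pvid: int = 1, ingress_filtering: bool = True) -> dict:
    return {"frame_types": frame_types, "pvid": pvid, "ingress_filtering": ingress_filtering}


# /interface bridge port rows from the posted hAP ac2 config, plus the CPU-facing port
PORTS = {
    "bondUplink": port("admit-only-vlan-tagged"),
    "E3_Printer1": port("admit-only-untagged-and-priority-tagged", pvid=100),
    "E4_Printer2": port("admit-only-untagged-and-priority-tagged", pvid=100),
    "E5_PC": port("admit-only-untagged-and-priority-tagged", pvid=100),
    "MainBridge": port("admit-all", ingress_filtering=False),  # the bridge itself / CPU
}


def vlan_table() -> dict:
    """/interface bridge vlan rows after removing vlan100 from the untagged list."""
    table = {}
    for ids, tagged, untagged in [
        ("101-199,201-499,501-799", {"MainBridge", "bondUplink"}, set()),
        ("200", {"MainBridge", "bondUplink"}, set()),
        ("500", {"MainBridge", "bondUplink"}, set()),
        ("100", {"MainBridge", "bondUplink"}, {"E3_Printer1", "E4_Printer2", "E5_PC"}),
    ]:
        for vid in expand(ids):
            table[vid] = {"tagged": set(tagged), "untagged": set(untagged)}
    return table


VLAN_TABLE = vlan_table()


def ingress(in_port: str, wire_vid, table=VLAN_TABLE):
    """Classify an incoming frame; wire_vid is None for untagged frames."""
    cfg = PORTS[in_port]
    tagged = wire_vid is not None and wire_vid != PRIORITY_TAGGED
    if cfg["frame_types"] == "admit-only-vlan-tagged" and not tagged:
        return None, "frame-types: untagged frame rejected"
    if cfg["frame_types"] == "admit-only-untagged-and-priority-tagged" and tagged:
        return None, "frame-types: tagged frame rejected"
    vid = wire_vid if tagged else cfg["pvid"]  # pvid assigns the VLAN to untagged frames
    if cfg["ingress_filtering"]:
        entry = table.get(vid)
        if entry is None or in_port not in (entry["tagged"] | entry["untagged"]):
            return None, f"ingress-filtering: {in_port} is not a member of VLAN {vid}"
    return vid, "ok"


def egress(out_port: str, vid: int, table=VLAN_TABLE):
    """'tagged', 'untagged', or None when the port is not a member of the VLAN."""
    entry = table.get(vid)
    if entry is None:
        return None
    if out_port in entry["untagged"]:
        return "untagged"
    if out_port in entry["tagged"]:
        return "tagged"
    return None


def forward(in_port: str, wire_vid, out_port: str, table=VLAN_TABLE) -> str:
    """Simulate one frame crossing the bridge and describe the outcome."""
    vid, reason = ingress(in_port, wire_vid, table)
    if vid is None:
        return f"dropped on ingress ({reason})"
    mode = egress(out_port, vid, table)
    if mode is None:
        return f"not forwarded: {out_port} is not a member of VLAN {vid}"
    if mode == "tagged":
        return f"forwarded tagged VID {vid}"
    return f"forwarded untagged (VLAN {vid} inside the bridge)"


if __name__ == "__main__":
    print("printer -> uplink:", forward("E3_Printer1", None, "bondUplink"))
    print("uplink VID 200 -> PC:", forward("bondUplink", 200, "E5_PC"))
    print("uplink VID 100 -> CPU:", forward("bondUplink", 100, "MainBridge"))
```

Because the CPU-facing port is a tagged member of VID 100, a printer frame reaches the CPU with its tag and can be picked up by /interface vlan vlan100; that is the precondition for the IP firewall ever seeing in:vlan100. The sniffer check sindy suggests is the real-world equivalent of calling ingress() on the uplink port: it tells you whether the frame still carries a tag when it arrives.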
 
dzo
newbie
Topic Author
Posts: 29
Joined: Mon Feb 04, 2019 2:53 pm

Re: Filtering VLANs

Wed Nov 11, 2020 6:31 pm

Hello sindy,

I don't want to make you lose your patience, so here you get the full config of the 4011, all lines:
It's a little bit changed from the former ones, due to the fault you pointed out to me (removed VLANs from the untagged list and some more minor points).
# nov/07/2020 23:38:48 by RouterOS 6.47.7
# software id = privat
#
# model = RB4011iGS+5HacQ2HnD
# serial number = privat
/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2412,2432,2452,2472 name=2Gch1-5-9-13 save-selected=yes tx-power=-7
add band=5ghz-n/ac extension-channel=disabled frequency=5180,5200,5220,5240,5260,5280,5300,5320,5500,5520,5540,5560 name=5G save-selected=yes
/caps-man datapath
add client-to-client-forwarding=yes local-forwarding=yes name=VLAN100 vlan-id=100 vlan-mode=use-tag
add client-to-client-forwarding=no local-forwarding=yes name=VLAN200 vlan-id=200 vlan-mode=use-tag
add client-to-client-forwarding=no local-forwarding=yes name=VLAN500 vlan-id=500 vlan-mode=use-tag
/interface bridge
add frame-types=admit-only-vlan-tagged name=bridge_LAN vlan-filtering=yes
/interface wireless
# managed by CAPsMAN
# channel: 2412/20/gn(-10dBm), SSID: Stuff, local forwarding
set [ find default-name=wlan2 ] disabled=no name=wlan2G ssid=MikroTik
# managed by CAPsMAN
# channel: 5180/20/ac/P(20dBm), SSID: Stuff, local forwarding
set [ find default-name=wlan1 ] disabled=no name=wlan5G ssid=MikroTik
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] name=E0-sfp_Uplink
set [ find default-name=ether1 ] name=E1_Internet
set [ find default-name=ether2 ] name=E2_BUp_Sw11
set [ find default-name=ether3 ] name=E3_BUp_Sw12
set [ find default-name=ether4 ] name=E4_BUp_Sw21
set [ find default-name=ether5 ] name=E5_BUp_Sw22
set [ find default-name=ether6 ] name=E6_BUp_11
set [ find default-name=ether7 ] name=E7_BUp_12
set [ find default-name=ether8 ] name=E9_BUp_21
set [ find default-name=ether9 ] name=E9_BUp_22
set [ find default-name=ether10 ] name="E10_AP" poe-out=forced-on
/interface ovpn-server
add name=ovpnDZO2 user=DirkLT
add name=ovpnDZO user=DirkPC
add name=ovpn-Florian user=Florian
add name=ovpn-Ralf user=Ralf
/interface vlan
add interface=bridge_LAN name=vlan100 vlan-id=100
add interface=bridge_LAN name=vlan200 vlan-id=200
add interface=bridge_LAN name=vlan500 vlan-id=500
add interface=bridge_LAN name=vlan800 vlan-id=800
add interface=bridge_LAN name=vlan900 vlan-id=900
/interface bonding
add link-monitoring=none mode=802.3ad name=bond_1 slaves=E2_BUp_Sw11,E3_BUp_Sw12 transmit-hash-policy=layer-2-and-3
add link-monitoring=none mode=802.3ad name=bond_2 slaves=E9_BUp_21,E9_BUp_22 transmit-hash-policy=layer-2-and-3
add link-monitoring=none mode=802.3ad name=bond_Switch1 slaves=E6_BUp_11,E7_BUp_12 transmit-hash-policy=layer-2-and-3
add link-monitoring=none mode=802.3ad name=bond_Switch2 slaves=E4_BUp_Sw21,E5_BUp_Sw22 transmit-hash-policy=layer-2-and-3
/caps-man rates
add basic=12Mbps name=rate2G supported=12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
/caps-man security
add authentication-types=wpa2-psk disable-pmkid=yes encryption=aes-ccm group-encryption=aes-ccm group-key-update=5m name=Stuff
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm group-key-update=5m name=Guest
add name=Free
add authentication-types=wpa2-psk disable-pmkid=yes encryption=aes-ccm group-encryption=aes-ccm group-key-update=5m name=Tec
/caps-man configuration
add channel=2Gch1-5-9-13 country=germany datapath=VLAN200 mode=ap multicast-helper=full name=Tec_2G rates=rate2G security=Tec ssid=Tec-2G
add channel=5G country=germany datapath=VLAN200 mode=ap multicast-helper=full name=Tec_5G security=Tec ssid=Tec-5G
add channel=2Gch1-5-9-13 country=germany datapath=VLAN100 mode=ap multicast-helper=full name="Stuff 2G" rates=rate2G security=Stuff ssid=Stuff
add channel=5G country=germany datapath=VLAN100 mode=ap multicast-helper=full name="Stuff 5G" security=Stuff ssid=Stuff
add channel=2Gch1-5-9-13 country=germany datapath=VLAN500 mode=ap multicast-helper=full name="Guest 2G" rates=rate2G security=Guest ssid=Guest
add channel=5G country=germany datapath=VLAN500 mode=ap multicast-helper=full name="Guest 5G" security=Guest ssid=Guest
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool100 ranges=192.168.102.1-192.168.110.253
add name=pool200 ranges=192.168.121.1-192.168.127.254
add name=pool500 ranges=192.168.130.1-192.168.149.253
add name=pool800 ranges=192.168.181.1-192.168.183.253
add name=pool900 ranges=192.168.184.1-192.168.189.254
add name=pool201.64ovpnMaster ranges=192.168.201.253-192.168.201.254
add name=pool201.63ovpnMaster next-pool=pool201.64ovpnMaster ranges=192.168.201.249-192.168.201.250
add name=pool201.62ovpnMaster next-pool=pool201.63ovpnMaster ranges=192.168.201.245-192.168.201.246
add name=pool201.61ovpnMaster next-pool=pool201.62ovpnMaster ranges=192.168.201.241-192.168.201.242
add name=pool201.60ovpnMaster next-pool=pool201.61ovpnMaster ranges=192.168.201.237-192.168.201.238
add name=pool201.59ovpnMaster next-pool=pool201.60ovpnMaster ranges=192.168.201.233-192.168.201.234
add name=pool201.58ovpnMaster next-pool=pool201.59ovpnMaster ranges=192.168.201.229-192.168.201.230
add name=pool201.57ovpnMaster next-pool=pool201.58ovpnMaster ranges=192.168.201.225-192.168.201.226
add name=pool201.56ovpnMaster next-pool=pool201.57ovpnMaster ranges=192.168.201.221-192.168.201.222
add name=pool201.55ovpnMaster next-pool=pool201.56ovpnMaster ranges=192.168.201.217-192.168.201.218
add name=pool201.54ovpnMaster next-pool=pool201.55ovpnMaster ranges=192.168.201.213-192.168.201.214
add name=pool201.53ovpnMaster next-pool=pool201.54ovpnMaster ranges=192.168.201.209-192.168.201.210
add name=pool201.52ovpnMaster next-pool=pool201.53ovpnMaster ranges=192.168.201.205-192.168.201.206
add name=pool201.51ovpnMaster next-pool=pool201.52ovpnMaster ranges=192.168.201.201-192.168.201.202
add name=pool201.50ovpnMaster next-pool=pool201.51ovpnMaster ranges=192.168.201.197-192.168.201.198
add name=pool201.49ovpnMaster next-pool=pool201.50ovpnMaster ranges=192.168.201.193-192.168.201.194
add name=pool201.48ovpnMaster next-pool=pool201.49ovpnMaster ranges=192.168.201.189-192.168.201.190
add name=pool201.47ovpnMaster next-pool=pool201.48ovpnMaster ranges=192.168.201.185-192.168.201.186
add name=pool201.46ovpnMaster next-pool=pool201.47ovpnMaster ranges=192.168.201.181-192.168.201.182
add name=pool201.45ovpnMaster next-pool=pool201.46ovpnMaster ranges=192.168.201.177-192.168.201.178
add name=pool201.44ovpnMaster next-pool=pool201.45ovpnMaster ranges=192.168.201.173-192.168.201.174
add name=pool201.43ovpnMaster next-pool=pool201.44ovpnMaster ranges=192.168.201.169-192.168.201.170
add name=pool201.42ovpnMaster next-pool=pool201.43ovpnMaster ranges=192.168.201.165-192.168.201.166
add name=pool201.41ovpnMaster next-pool=pool201.42ovpnMaster ranges=192.168.201.161-192.168.201.162
add name=pool201.40ovpnMaster next-pool=pool201.41ovpnMaster ranges=192.168.201.157-192.168.201.158
add name=pool201.39ovpnMaster next-pool=pool201.40ovpnMaster ranges=192.168.201.153-192.168.201.154
add name=pool201.38ovpnMaster next-pool=pool201.39ovpnMaster ranges=192.168.201.149-192.168.201.150
add name=pool201.37ovpnMaster next-pool=pool201.38ovpnMaster ranges=192.168.201.145-192.168.201.146
add name=pool201.36ovpnMaster next-pool=pool201.37ovpnMaster ranges=192.168.201.141-192.168.201.142
add name=pool201.35ovpnMaster next-pool=pool201.36ovpnMaster ranges=192.168.201.137-192.168.201.138
add name=pool201.34ovpnMaster next-pool=pool201.35ovpnMaster ranges=192.168.201.133-192.168.201.134
add name=pool201.33ovpnMaster next-pool=pool201.34ovpnMaster ranges=192.168.201.129-192.168.201.130
add name=pool201.32ovpnMaster next-pool=pool201.33ovpnMaster ranges=192.168.201.125-192.168.201.126
add name=pool201.31ovpnMaster next-pool=pool201.32ovpnMaster ranges=192.168.201.121-192.168.201.122
add name=pool201.30ovpnMaster next-pool=pool201.31ovpnMaster ranges=192.168.201.117-192.168.201.118
add name=pool201.29ovpnMaster next-pool=pool201.30ovpnMaster ranges=192.168.201.113-192.168.201.114
add name=pool201.28ovpnMaster next-pool=pool201.29ovpnMaster ranges=192.168.201.109-192.168.201.110
add name=pool201.27ovpnMaster next-pool=pool201.28ovpnMaster ranges=192.168.201.105-192.168.201.106
add name=pool201.26ovpnMaster next-pool=pool201.27ovpnMaster ranges=192.168.201.101-192.168.201.102
add name=pool201.25ovpnMaster next-pool=pool201.26ovpnMaster ranges=192.168.201.97-192.168.201.98
add name=pool201.24ovpnMaster next-pool=pool201.25ovpnMaster ranges=192.168.201.93-192.168.201.94
add name=pool201.23ovpnMaster next-pool=pool201.24ovpnMaster ranges=192.168.201.89-192.168.201.90
add name=pool201.22ovpnMaster next-pool=pool201.23ovpnMaster ranges=192.168.201.85-192.168.201.86
add name=pool201.21ovpnMaster next-pool=pool201.22ovpnMaster ranges=192.168.201.81-192.168.201.82
add name=pool201.20ovpnMaster next-pool=pool201.21ovpnMaster ranges=192.168.201.77-192.168.201.78
add name=pool201.19ovpnMaster next-pool=pool201.20ovpnMaster ranges=192.168.201.73-192.168.201.74
add name=pool201.18ovpnMaster next-pool=pool201.19ovpnMaster ranges=192.168.201.69-192.168.201.70
add name=pool201.17ovpnMaster next-pool=pool201.18ovpnMaster ranges=192.168.201.65-192.168.201.66
add name=pool201.16ovpnMaster next-pool=pool201.17ovpnMaster ranges=192.168.201.61-192.168.201.62
add name=pool201.15ovpnMaster next-pool=pool201.16ovpnMaster ranges=192.168.201.57-192.168.201.58
add name=pool201.14ovpnMaster next-pool=pool201.15ovpnMaster ranges=192.168.201.53-192.168.201.54
add name=pool201.13ovpnMaster next-pool=pool201.14ovpnMaster ranges=192.168.201.49-192.168.201.50
add name=pool201.12ovpnMaster next-pool=pool201.13ovpnMaster ranges=192.168.201.45-192.168.201.46
add name=pool201.11ovpnMaster next-pool=pool201.12ovpnMaster ranges=192.168.201.41-192.168.201.42
add name=pool201.10ovpnMaster next-pool=pool201.11ovpnMaster ranges=192.168.201.37-192.168.201.38
add name=pool201.09ovpnMaster next-pool=pool201.10ovpnMaster ranges=192.168.201.33-192.168.201.34
add name=pool201.08ovpnMaster next-pool=pool201.09ovpnMaster ranges=192.168.201.29-192.168.201.30
add name=pool201.07ovpnMaster next-pool=pool201.08ovpnMaster ranges=192.168.201.25-192.168.201.26
add name=pool201.06ovpnMaster next-pool=pool201.07ovpnMaster ranges=192.168.201.21-192.168.201.22
add name=pool201.05ovpnMaster next-pool=pool201.06ovpnMaster ranges=192.168.201.17-192.168.201.18
add name=pool201.04ovpnMaster next-pool=pool201.05ovpnMaster ranges=192.168.201.13-192.168.201.14
add name=pool201.03ovpnMaster next-pool=pool201.04ovpnMaster ranges=192.168.201.9-192.168.201.10
add name=pool201.02ovpnMaster next-pool=pool201.03ovpnMaster ranges=192.168.201.5-192.168.201.6
add comment=Master-OpenVPN-Port name=pool201.01ovpnMaster next-pool=pool201.02ovpnMaster ranges=192.168.201.1-192.168.201.2
/ip dhcp-server
add address-pool=pool100 disabled=no interface=vlan100 name=dhcp100
add address-pool=pool200 disabled=no interface=vlan200 lease-time=1h name=dhcp200
add address-pool=pool500 disabled=no interface=vlan500 lease-time=30m name=dhcp500
add address-pool=pool800 disabled=no interface=vlan800 name=dhcp800
add address-pool=pool900 disabled=no interface=vlan900 name=dhcp900
/ppp profile
add dns-server=192.168.100.1 local-address=pool201.01ovpnMaster name=RoadWarrior remote-address=pool201.01ovpnMaster use-compression=no use-encryption=required wins-server=192.168.100.1
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes upgrade-policy=suggest-same-version
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=ac master-configuration="Stuff 5G" name-format=prefix-identity name-prefix=cap5G slave-configurations="Tec_5G,Guest 5G"
add action=create-dynamic-enabled hw-supported-modes=gn identity-regexp=.*Rest.* master-configuration="Stuff 2G" name-format=prefix-identity name-prefix=capR2G slave-configurations="Guest 2G,Stuff 2G"
add action=create-dynamic-enabled hw-supported-modes=gn identity-regexp=.*Tec.* master-configuration=Tec_2G name-format=prefix-identity name-prefix=capT2G
add action=create-dynamic-enabled hw-supported-modes=g,gn identity-regexp=.*All.* master-configuration="Stuff 2G" name-format=prefix-identity name-prefix=cap2G slave-configurations="Tec_2G,Guest 2G"
add action=create-dynamic-enabled disabled=yes hw-supported-modes=gn master-configuration="Stuff 2G" name-format=prefix-identity name-prefix=cap2G slave-configurations="Tec_2G,Guest 2G"
/interface bridge filter
add action=mark-packet chain=forward in-interface=E0-sfp_Uplink log-prefix=PacketMark mac-protocol=vlan new-packet-mark=VLAN100 vlan-id=100
/interface bridge port
add bridge=bridge_LAN frame-types=admit-only-vlan-tagged ingress-filtering=yes interface="E10_AP" pvid=100
add bridge=bridge_LAN frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=E0-sfp_Uplink
add bridge=bridge_LAN frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=bond_1 pvid=100
add bridge=bridge_LAN interface=bond_Switch1
add bridge=bridge_LAN interface=bond_Switch2
add bridge=bridge_LAN frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=bond_2
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/interface bridge vlan
add bridge=bridge_LAN tagged="bridge_LAN,bond_Switch1,bond_Switch2,bond_2,bond_1,E0-sfp_Uplink,E10_AP" vlan-ids=100
add bridge=bridge_LAN tagged="bridge_LAN,E10_AP,bond_1,bond_Switch1,bond_Switch2,bond_2,E0-sfp_Uplink" vlan-ids=200
add bridge=bridge_LAN tagged="bridge_LAN,E10_AP,bond_1,bond_Switch1,bond_Switch2,bond_2,E0-sfp_Uplink" vlan-ids=500
add bridge=bridge_LAN tagged=bridge_LAN,bond_Switch1,bond_Switch2,E0-sfp_Uplink vlan-ids=800
add bridge=bridge_LAN tagged=bridge_LAN,bond_Switch2,bond_Switch1,E0-sfp_Uplink vlan-ids=900
/interface list member
add interface=E1_Internet list=WAN
/interface ovpn-server server
set auth=sha1 certificate=ourOwnCertificat.crt_0 cipher=aes256 default-profile=RoadWarrior enabled=yes mode=ethernet netmask=20 require-client-certificate=yes
/interface wireless cap
# 
set bridge=bridge_LAN certificate=request discovery-interfaces=vlan200 enabled=yes interfaces=wlan2G,wlan5G
/ip address
add address=192.168.100.1/20 comment="Main network" interface=vlan100 network=192.168.96.0
add address=192.168.120.1/20 comment="Public address system" interface=vlan200 network=192.168.112.0
add address=192.168.150.1/19 comment="Guests" interface=vlan500 network=192.168.128.0
add address=192.168.180.1/21 comment="Small Net" interface=vlan800 network=192.168.176.0
add address=192.168.190.1/23 comment="Big Net" interface=vlan900 network=192.168.190.0
add address=192.168.100.2/20 comment="Routing-MASQ" interface=vlan100 network=192.168.96.0
add address=192.168.64.2/24 comment="External ip" interface=E1_Internet network=192.168.64.0
add address=192.168.100.3/20 comment="RoadWarrior Masq" interface=vlan100 network=192.168.96.0
/ip dhcp-server lease
add address=192.168.100.100 client-id=1:5c:f4:ab:e4:c0:8f comment="Server1" mac-address=5C:F4:XX:XX:XX:XX server=dhcp100
add address=192.168.120.101 client-id=1:94:db:XX:XX:XX:XX comment="Tec Video SmallHall" mac-address=94:DB:XX:XX:XX:XX server=dhcp200
add address=192.168.120.102 client-id=1:94:db:XX:XX:XX:XX comment="Tec Video BigHall" mac-address=94:DB:XX:XX:XX:XX server=dhcp200
add address=192.168.100.110 client-id=1:ec:XX:XX:XX:XX comment="Printer" mac-address=EC:9A:XX:XX:XX:XX server=dhcp100
add address=192.168.100.111 client-id=1:0:1b:XX:XX:XX:XX mac-address=00:1B:XX:XX:XX:XX server=dhcp100
/ip dhcp-server network
add address=192.168.96.0/20 comment=Main dns-server=192.168.100.1 gateway=192.168.100.1
add address=192.168.112.0/20 comment=Event_Tec dns-server=192.168.120.1 gateway=192.168.120.1
add address=192.168.128.0/19 comment=Guest dns-server=192.168.150.1 gateway=192.168.150.1
add address=192.168.176.0/21 comment="Small Net" dns-server=192.168.180.1 gateway=192.168.180.1
add address=192.168.190.0/23 comment="Big Net" dns-server=192.168.190.1 gateway=192.168.190.1
/ip dns
set allow-remote-requests=yes servers=192.168.100.2,192.168.64.1
/ip firewall filter
add action=fasttrack-connection chain=forward comment="fasttrack" connection-state=established,related
add action=accept chain=forward comment="Acc Forw established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="Muticasts" dst-address=224.0.0.0/4 log-prefix=Multicast
add action=accept chain=forward log-prefix=Multicast src-address=224.0.0.0/4
add action=drop chain=forward comment="Drop Forw invalid" connection-state=invalid
add action=accept chain=forward comment="Own networks" dst-address=192.168.96.0/20 log-prefix=StuffNet src-address=192.168.96.0/20
add action=accept chain=forward dst-address=192.168.112.0/20 log-prefix=TecNet src-address=192.168.112.0/20
add action=accept chain=forward dst-address=192.168.176.0/21 log-prefix=SmallNet src-address=192.168.176.0/21
add action=accept chain=forward dst-address=192.168.190.0/23 log-prefix=BigNet src-address=192.168.190.0/23
add action=accept chain=forward dst-address=192.168.120.1 log-prefix="Guests only router" src-address=192.168.128.0/19
add action=accept chain=forward comment="Own network to internet" in-interface=vlan100 log-prefix=StuffNet out-interface=E1_Internet src-address=192.168.96.0/20
add action=accept chain=forward in-interface=vlan200 log-prefix=TecNet out-interface=E1_Internet src-address=192.168.112.0/20
add action=accept chain=forward in-interface=vlan500 log-prefix=Guests out-interface=E1_Internet src-address=192.168.128.0/19
add action=accept chain=forward in-interface=vlan800 log-prefix=SmallNet out-interface=E1_Internet src-address=192.168.176.0/21
add action=accept chain=forward in-interface=vlan900 log-prefix=BigNet out-interface=E1_Internet src-address=192.168.190.0/23
add action=accept chain=forward comment="Allow router network all" log-prefix="From router/switch network" src-address=192.168.100.0/24
add action=accept chain=input comment="Acc Input established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="Winbox Firewall" dst-port=8291 protocol=tcp
add action=accept chain=output log-prefix=Winbox->DirksLT protocol=tcp src-port=8291
add action=accept chain=input comment=OpenVPN dst-port=1194 log-prefix="VPN In" protocol=tcp
add action=accept chain=output log-prefix="VPN Out" protocol=tcp src-port=1194
add action=accept chain=forward comment="Mikrotik Discovery" log-prefix="Mikrotik Discovery rules" port=5678 protocol=udp src-address=192.168.96.0/20
add action=accept chain=forward log-prefix="Mikrotik Discovery do it" port=5678 protocol=udp src-address=192.168.112.0/20
add action=accept chain=forward dst-address=192.168.96.0/20 log-prefix="Mikrotik Discovery other way" port=5678 protocol=udp
add action=accept chain=forward dst-address=192.168.112.0/20 log-prefix="Mikrotik Discovery everything ok" port=5678 protocol=udp
add action=accept chain=forward log-prefix="Mikrotik Diskover all" port=5678 protocol=udp
# ovpnDZO not ready
add action=accept chain=forward comment="OVPN allow everything" in-interface=ovpnDZO log-prefix="OVPN allow all" src-address=192.168.201.0/24
add action=accept chain=forward in-interface=ovpnDZO2 log-prefix="OVPN Welcome" src-address=192.168.201.0/24
# ovpn-Ralf not ready
add action=accept chain=forward in-interface=ovpn-Ralf log-prefix="OVPN do everything you want" src-address=192.168.201.0/24
# ovpn-Florian not ready
add action=accept chain=forward in-interface=ovpn-Florian log-prefix="OVPN do everything too" src-address=192.168.201.0/24
add action=accept chain=forward comment="Back OVPN_Network" dst-address=192.168.201.0/24 log-prefix="Back OVPN_Network"
add action=drop chain=input comment="Drop Input invalid" connection-state=invalid
add action=accept chain=input comment="Acc ICMP" protocol=icmp
add action=accept chain=input comment="Acc loopback (i.e. CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="Drop all not LAN - Disabled" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="Acc ipsec-in" ipsec-policy=in,ipsec
add action=accept chain=forward comment="Acc ipsec-out" ipsec-policy=out,ipsec
add action=drop chain=forward comment="Drop WAN not asked for" connection-nat-state=!dstnat connection-state=new in-interface=E1_Internet
add action=drop chain=forward comment="Everything not allowed is forbidden" log=yes log-prefix="Not allowed!"
/ip firewall mangle
add action=log chain=forward log-prefix="Test IP1:" src-address=192.168.10.1
add action=log chain=prerouting dst-address=192.168.100.1 log-prefix="Test IP2:" src-address=192.168.127.200
add action=mark-packet chain=prerouting dst-address=192.168.112.0/20 new-packet-mark=Tec passthrough=yes
add action=mark-packet chain=prerouting new-packet-mark=Tec passthrough=yes src-address=192.168.112.0/20
add action=mark-packet chain=prerouting dst-address=192.168.128.0/20 new-packet-mark=Guests passthrough=yes
add action=mark-packet chain=prerouting new-packet-mark=Guests passthrough=yes src-address=192.168.128.0/20
/ip firewall nat
add action=masquerade chain=srcnat comment="Masq outside" ipsec-policy=out,none out-interface=E1_Internet
add action=dst-nat chain=dstnat comment=Routing-MASQ dst-address=192.168.100.2 to-addresses=192.168.64.1
add action=dst-nat chain=dstnat comment="Machines for TecNet: Server, Printer" dst-address=192.168.120.100 in-interface=vlan200 to-addresses=192.168.100.100
add action=dst-nat chain=dstnat dst-address=192.168.120.110 in-interface=vlan200 to-addresses=192.168.100.110
add action=dst-nat chain=dstnat dst-address=192.168.120.111 in-interface=vlan200 to-addresses=192.168.100.111
add action=src-nat chain=srcnat comment="Road Warrior" src-address=192.168.201.0/24 to-addresses=192.168.100.3
/ip route
add distance=1 gateway=192.168.64.1
add distance=1 dst-address=192.168.1.0/24 gateway=192.168.100.20
add distance=1 dst-address=192.168.88.0/24 gateway=192.168.100.20
/ppp secret
add name=DZO profile=RoadWarrior
add name=Florian profile=RoadWarrior service=ovpn
add name=DZO1 profile=RoadWarrior
add name=Ralf profile=RoadWarrior
/routing pim interface
add alternative-subnets=192.168.112.0/20,192.168.96.0/20,192.168.128.0/19 interface=vlan100
add alternative-subnets=192.168.112.0/20,192.168.96.0/20,192.168.128.0/19 interface=vlan200
/routing pim rp
add address=192.168.120.1
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=Router_All
/system leds
add interface=wlan2G leds="wlan2G_signal1-led,wlan2G_signal2-led,wlan2G_signal3-led,wlan2G_signal4-led,wlan2G_signal5-led" type=wireless-signal-strength
add interface=wlan2G leds=wlan2G_tx-led type=interface-transmit
add interface=wlan2G leds=wlan2G_rx-led type=interface-receive
/system logging
add disabled=yes topics=debug,!ntp
/system ntp client
set enabled=yes primary-ntp=192.53.103.108 secondary-ntp=192.53.103.104 server-dns-names=192.168.100.1
/system script
add dont-require-permissions=no name=script1 owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/ip pool\r\n
add name=pool201.64ovpnMaster ranges=192.168.201.253-192.168.201.254\r\n
add name=pool201.63ovpnMaster next-pool=pool201.64ovpnMaster ranges=192.168.201.249-192.168.201.250\r\n
add name=pool201.62ovpnMaster next-pool=pool201.63ovpnMaster ranges=192.168.201.245-192.168.201.246\r\n
add name=pool201.61ovpnMaster next-pool=pool201.62ovpnMaster ranges=192.168.201.241-192.168.201.242\r\n
add name=pool201.60ovpnMaster next-pool=pool201.61ovpnMaster ranges=192.168.201.237-192.168.201.238\r\n
add name=pool201.59ovpnMaster next-pool=pool201.60ovpnMaster ranges=192.168.201.233-192.168.201.234\r\n
add name=pool201.58ovpnMaster next-pool=pool201.59ovpnMaster ranges=192.168.201.229-192.168.201.230\r\n
add name=pool201.57ovpnMaster next-pool=pool201.58ovpnMaster ranges=192.168.201.225-192.168.201.226\r\n
add name=pool201.56ovpnMaster next-pool=pool201.57ovpnMaster ranges=192.168.201.221-192.168.201.222\r\n
add name=pool201.55ovpnMaster next-pool=pool201.56ovpnMaster ranges=192.168.201.217-192.168.201.218\r\n
add name=pool201.54ovpnMaster next-pool=pool201.55ovpnMaster ranges=192.168.201.213-192.168.201.214\r\n
add name=pool201.53ovpnMaster next-pool=pool201.54ovpnMaster ranges=192.168.201.209-192.168.201.210\r\n
add name=pool201.52ovpnMaster next-pool=pool201.53ovpnMaster ranges=192.168.201.205-192.168.201.206\r\n
add name=pool201.51ovpnMaster next-pool=pool201.52ovpnMaster ranges=192.168.201.201-192.168.201.202\r\n
add name=pool201.50ovpnMaster next-pool=pool201.51ovpnMaster ranges=192.168.201.197-192.168.201.198\r\n
add name=pool201.49ovpnMaster next-pool=pool201.50ovpnMaster ranges=192.168.201.193-192.168.201.194\r\n
add name=pool201.48ovpnMaster next-pool=pool201.49ovpnMaster ranges=192.168.201.189-192.168.201.190\r\n
add name=pool201.47ovpnMaster next-pool=pool201.48ovpnMaster ranges=192.168.201.185-192.168.201.186\r\n
add name=pool201.46ovpnMaster next-pool=pool201.47ovpnMaster ranges=192.168.201.181-192.168.201.182\r\n
add name=pool201.45ovpnMaster next-pool=pool201.46ovpnMaster ranges=192.168.201.177-192.168.201.178\r\n
add name=pool201.44ovpnMaster next-pool=pool201.45ovpnMaster ranges=192.168.201.173-192.168.201.174\r\n
add name=pool201.43ovpnMaster next-pool=pool201.44ovpnMaster ranges=192.168.201.169-192.168.201.170\r\n
add name=pool201.42ovpnMaster next-pool=pool201.43ovpnMaster ranges=192.168.201.165-192.168.201.166\r\n
add name=pool201.41ovpnMaster next-pool=pool201.42ovpnMaster ranges=192.168.201.161-192.168.201.162\r\n
add name=pool201.40ovpnMaster next-pool=pool201.41ovpnMaster ranges=192.168.201.157-192.168.201.158\r\n
add name=pool201.39ovpnMaster next-pool=pool201.40ovpnMaster ranges=192.168.201.153-192.168.201.154\r\n
add name=pool201.38ovpnMaster next-pool=pool201.39ovpnMaster ranges=192.168.201.149-192.168.201.150\r\n
add name=pool201.37ovpnMaster next-pool=pool201.38ovpnMaster ranges=192.168.201.145-192.168.201.146\r\n
add name=pool201.36ovpnMaster next-pool=pool201.37ovpnMaster ranges=192.168.201.141-192.168.201.142\r\n
add name=pool201.35ovpnMaster next-pool=pool201.36ovpnMaster ranges=192.168.201.137-192.168.201.138\r\n
add name=pool201.34ovpnMaster next-pool=pool201.35ovpnMaster ranges=192.168.201.133-192.168.201.134\r\n
add name=pool201.33ovpnMaster next-pool=pool201.34ovpnMaster ranges=192.168.201.129-192.168.201.130\r\n
add name=pool201.32ovpnMaster next-pool=pool201.33ovpnMaster ranges=192.168.201.125-192.168.201.126\r\n
add name=pool201.31ovpnMaster next-pool=pool201.32ovpnMaster ranges=192.168.201.121-192.168.201.122\r\n
add name=pool201.30ovpnMaster next-pool=pool201.31ovpnMaster ranges=192.168.201.117-192.168.201.118\r\n
add name=pool201.29ovpnMaster next-pool=pool201.30ovpnMaster ranges=192.168.201.113-192.168.201.114\r\n
add name=pool201.28ovpnMaster next-pool=pool201.29ovpnMaster ranges=192.168.201.109-192.168.201.110\r\n
add name=pool201.27ovpnMaster next-pool=pool201.28ovpnMaster ranges=192.168.201.105-192.168.201.106\r\n
add name=pool201.26ovpnMaster next-pool=pool201.27ovpnMaster ranges=192.168.201.101-192.168.201.102\r\n
add name=pool201.25ovpnMaster next-pool=pool201.26ovpnMaster ranges=192.168.201.97-192.168.201.98\r\n
add name=pool201.24ovpnMaster next-pool=pool201.25ovpnMaster ranges=192.168.201.93-192.168.201.94\r\n
add name=pool201.23ovpnMaster next-pool=pool201.24ovpnMaster ranges=192.168.201.89-192.168.201.90\r\n
add name=pool201.22ovpnMaster next-pool=pool201.23ovpnMaster ranges=192.168.201.85-192.168.201.86\r\n
add name=pool201.21ovpnMaster next-pool=pool201.22ovpnMaster ranges=192.168.201.81-192.168.201.82\r\n
add name=pool201.20ovpnMaster next-pool=pool201.21ovpnMaster ranges=192.168.201.77-192.168.201.78\r\n
add name=pool201.19ovpnMaster next-pool=pool201.20ovpnMaster ranges=192.168.201.73-192.168.201.74\r\n
add name=pool201.18ovpnMaster next-pool=pool201.19ovpnMaster ranges=192.168.201.69-192.168.201.70\r\n
add name=pool201.17ovpnMaster next-pool=pool201.18ovpnMaster ranges=192.168.201.65-192.168.201.66\r\n
add name=pool201.16ovpnMaster next-pool=pool201.17ovpnMaster ranges=192.168.201.61-192.168.201.62\r\n
add name=pool201.15ovpnMaster next-pool=pool201.16ovpnMaster ranges=192.168.201.57-192.168.201.58\r\n
add name=pool201.14ovpnMaster next-pool=pool201.15ovpnMaster ranges=192.168.201.53-192.168.201.54\r\n
add name=pool201.13ovpnMaster next-pool=pool201.14ovpnMaster ranges=192.168.201.49-192.168.201.50\r\n
add name=pool201.12ovpnMaster next-pool=pool201.13ovpnMaster ranges=192.168.201.45-192.168.201.46\r\n
add name=pool201.11ovpnMaster next-pool=pool201.12ovpnMaster ranges=192.168.201.41-192.168.201.42\r\n
add name=pool201.10ovpnMaster next-pool=pool201.11ovpnMaster ranges=192.168.201.37-192.168.201.38\r\n
add name=pool201.09ovpnMaster next-pool=pool201.10ovpnMaster ranges=192.168.201.33-192.168.201.34\r\n
add name=pool201.08ovpnMaster next-pool=pool201.09ovpnMaster ranges=192.168.201.29-192.168.201.30\r\n
add name=pool201.07ovpnMaster next-pool=pool201.08ovpnMaster ranges=192.168.201.25-192.168.201.26\r\n
add name=pool201.06ovpnMaster next-pool=pool201.07ovpnMaster ranges=192.168.201.21-192.168.201.22\r\n
add name=pool201.05ovpnMaster next-pool=pool201.06ovpnMaster ranges=192.168.201.17-192.168.201.18\r\n
add name=pool201.04ovpnMaster next-pool=pool201.05ovpnMaster ranges=192.168.201.13-192.168.201.14\r\n
add name=pool201.03ovpnMaster next-pool=pool201.04ovpnMaster ranges=192.168.201.9-192.168.201.10\r\n
add name=pool201.02ovpnMaster next-pool=pool201.03ovpnMaster ranges=192.168.201.5-192.168.201.6\r\n
add comment=\"Master-OpenVPN-Port\" name=pool201.01ovpnMaster next-pool=pool201.02ovpnMaster ranges=192.168.201.1-192.168.201.2\r\n"
/tool graphing interface
add allow-address=192.168.96.0/20
add allow-address=192.168.112.0/20
/tool graphing queue
add allow-address=192.168.112.0/20
add allow-address=192.168.112.0/20
/tool graphing resource
add allow-address=192.168.96.0/20
add allow-address=192.168.112.0/20
And now a new log without VLAN:
11:14:41 caps,info 08:E6:XX:XX:XX:A8@cap5G-AP_Hall1_Rest connected, signal strength -86 
11:14:41 firewall,info Not allowed! forward: in:bridge_LAN(E0-sfp_Uplink) out:bridge_LAN(E10_AP), src-mac 08:e6:XX:XX:XX:A8, proto UDP, 0.0.0.0:68->255.255.255.255:67, len 328 
11:14:41 firewall,info Not allowed! forward: in:bridge_LAN(E0-sfp_Uplink) out:bridge_LAN(wlan13), src-mac 08:e6:XX:XX:XX:a8, proto UDP, 0.0.0.0:68->255.255.255.255:67, len 328 
11:14:41 firewall,info Not allowed! forward: in:bridge_LAN(E0-sfp_Uplink) out:bridge_LAN(wlan6), src-mac 08:e6:XX:XX:XX:a8, proto UDP, 0.0.0.0:68->255.255.255.255:67, len 328 
11:14:42 dhcp,info dhcp500 assigned 192.168.130.9 to 08:E6:XX:XX:XX:A8
It's just a DHCP Discover message from one client connected to one of the hAP ac² APs with datapath VLAN500. This one is not connected to E10_AP but to E0-sfp_Uplink.

But it doesn't matter where it comes from. As the config of E0 is
frame-types=admit-only-vlan-tagged ingress-filtering=yes, it must arrive with a VLAN tag. And the DHCP server for VLAN500 on the input chain gives it the right IP:

And I can see it only touches the wlan ports with vlan500:
(For all interested readers who ask themselves "Where are wlan13 and wlan6? I don't see them in the config." -> They are dynamic ports from CAPsMAN; it creates a few dynamic interfaces, and they just get numbers.)
See
/interface bridge VLAN:
Flags: X - disabled, D - dynamic 
 #   BRIDGE           VLAN-IDS  CURRENT-TAGGED         CURRENT-UNTAGGED        
 0   bridge_LAN       100       bridge_LAN            
                                E10_AP        
                                E0-sfp_Uplink         
                                wlan5G                
                                wlan2G                
 1   bridge_LAN       200       bridge_LAN            
                                E10_AP        
                                E0-sfp_Uplink         
                                wlan5                 
                                wlan14                
 2   bridge_LAN       500       bridge_LAN            
                                E10_AP        
                                E0-sfp_Uplink         
                                wlan6                 
                                wlan13                
 3   bridge_LAN       800       bridge_LAN            
                                E0-sfp_Uplink         
 4   bridge_LAN       900       bridge_LAN            
                                E0-sfp_Uplink         
and the /interface bridge port
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload 
 #     INTERFACE     BRIDGE        HW  PVID PR  PATH-COST INTERNA...    HORIZON
 0     E10_AP        bridge_LAN    yes  100 0x         10         10       none
 1     E0-sfp_Uplink bridge_LAN    yes    1 0x         10         10       none
 2 I   bond_1        bridge_LAN    yes  100 0x         10         10       none
 3 I   bond_2        bridge_LAN    yes    1 0x         10         10       none
 4 I   bond_Switch1  bridge_LAN    yes    1 0x         10         10       none
 5 I   bond_Switch2  bridge_LAN    yes    1 0x         10         10       none
 6  D  wlan5G        bridge_LAN         100 0x         10         10       none
 7  D  wlan5         bridge_LAN         200 0x         10         10       none
 8  D  wlan6         bridge_LAN         500 0x         10         10       none
 9  D  wlan2G        bridge_LAN         100 0x         10         10       none
10  D  wlan13        bridge_LAN         500 0x         10         10       none
11  D  wlan14        bridge_LAN         200 0x         10         10       none
So I do not think it's a problem of the switch the packet passes through before the 4011. It did not touch the other ports like wlan2G or wlan14. I can't check this with a tool at this moment because there is nearly no traffic; the packet in the log is a little bit old. And on the other hand it doesn't make sense: when a packet is forwarded only to the ports of VLAN 500 and no other ports, it might have VLAN 500.

So why doesn't this packet get an in:vlan500(E0-sfp_Uplink), but just an in:bridge_LAN(E0-sfp_Uplink)?!?

Now it is a really long posting with a long config, but hopefully all the information is now in this posting. Splitting the config into two postings or skipping lines was a really bad idea, sorry.
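The posted filter accepts the "Own networks" traffic on src-address alone, so a host that gives itself an address from another VLAN's range is accepted as if it came from that VLAN. The routed path is where this can be checked: a routed packet arrives in /ip firewall filter as in:vlan500, not in:bridge_LAN(...), so in-interface can be tied to the subnet that belongs to it. The rules below are an added example, not part of the poster's configuration or of the thread's advice. Interface names, subnets, the "Own networks" and "Winbox Firewall" comments and the static routes via 192.168.100.20 are taken from the config above; the address-list names and log prefixes are my own, and the rp-filter line at the end is an untested assumption about an alternative.

```routeros
# Added example, not part of the configuration posted above.
# One address list per VLAN: the prefixes a packet arriving on that
# /interface vlan is allowed to carry as source.
/ip firewall address-list
add list=src_vlan100 address=192.168.96.0/20  comment="Main network"
add list=src_vlan100 address=192.168.1.0/24   comment="reached via 192.168.100.20 on vlan100, see /ip route"
add list=src_vlan100 address=192.168.88.0/24  comment="reached via 192.168.100.20 on vlan100, see /ip route"
add list=src_vlan200 address=192.168.112.0/20 comment="Public address system"
add list=src_vlan500 address=192.168.128.0/19 comment="Guests"
add list=src_vlan800 address=192.168.176.0/21 comment="Small Net"
add list=src_vlan900 address=192.168.190.0/23 comment="Big Net"

# Forward chain: drop anything whose source does not belong to the ingress
# VLAN, placed in front of the existing "Own networks" accept rule, which
# matches on src-address only. Routed packets only; bridged frames never
# reach this chain once use-ip-firewall is back at its default.
/ip firewall filter
add chain=forward in-interface=vlan100 src-address-list=!src_vlan100 action=drop \
    log=yes log-prefix="spoof vlan100" comment="vlan100 may only source src_vlan100" \
    place-before=[find comment="Own networks"]
add chain=forward in-interface=vlan200 src-address-list=!src_vlan200 action=drop \
    log=yes log-prefix="spoof vlan200" comment="vlan200 may only source src_vlan200" \
    place-before=[find comment="Own networks"]
add chain=forward in-interface=vlan500 src-address-list=!src_vlan500 action=drop \
    log=yes log-prefix="spoof vlan500" comment="vlan500 may only source src_vlan500" \
    place-before=[find comment="Own networks"]
add chain=forward in-interface=vlan800 src-address-list=!src_vlan800 action=drop \
    log=yes log-prefix="spoof vlan800" comment="vlan800 may only source src_vlan800" \
    place-before=[find comment="Own networks"]
add chain=forward in-interface=vlan900 src-address-list=!src_vlan900 action=drop \
    log=yes log-prefix="spoof vlan900" comment="vlan900 may only source src_vlan900" \
    place-before=[find comment="Own networks"]

# Input chain, shown for the guest VLAN: the same binding protects the
# router's own services (DNS, Winbox, CAPsMAN). A DHCP DISCOVER is sent
# from 0.0.0.0 before the client has a lease, so that source is left
# through explicitly (assumption: keep it, the matchers are ANDed).
# Placed before "Winbox Firewall" so only established/related precedes it.
add chain=input in-interface=vlan500 src-address=!0.0.0.0/32 src-address-list=!src_vlan500 \
    action=drop log=yes log-prefix="spoof vlan500 input" \
    comment="vlan500 may only source src_vlan500 towards the router" \
    place-before=[find comment="Winbox Firewall"]

# Alternative (assumption, not tested in this setup): strict reverse-path
# filtering drops any packet whose source would not be routed back out of
# the interface it came in on. It applies to every interface, including
# E1_Internet and the OVPN interfaces, and breaks asymmetric routing, so
# the explicit per-VLAN rules above are the safer choice here.
# /ip settings set rp-filter=strict
```

Watch the log prefixes for a while before trusting the lists: anything legitimate that shows up as "spoof vlan..." is a subnet missing from the corresponding address list, not an attacker.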
 
sindy
Forum Guru
Posts: 11418
Joined: Mon Dec 04, 2017 9:19 pm

Re: Filtering VLANs

Wed Nov 11, 2020 11:33 pm

As expected:

/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes


What is the idea behind this? Can you set both to the default no and try again?
 
dzo
newbie
Topic Author
Posts: 29
Joined: Mon Feb 04, 2019 2:53 pm

Re: Filtering VLANs

Tue Jan 19, 2021 9:50 pm

use-ip-firewall-for-vlan=no
helped to stop that traffic.

I turned it on because in the next step of configuration I wanted to have queues for traffic in some vlans. I saw in the wiki: "To assign Simple Queues or global Queue Trees for VLAN or PPPoE traffic in a bridge you should enable appropriate properties as well." Ok, we didn't need to slow down traffic as there are nearly no guests because of COVID, so we have no queues for vlan yet.

The aim was to prioritize vlan200 before vlan100 and the rest, so I thought about queues and read about the need to turn that on.
 
sindy
Forum Guru
Posts: 11418
Joined: Mon Dec 04, 2017 9:19 pm

Re: Filtering VLANs  [SOLVED]

Tue Jan 19, 2021 11:21 pm

You only need that if you want to prioritize the traffic at L2, i.e. while it is being bridged from one port to another. If there is a distinct subnet in each VLAN and it is enough to prioritize the traffic while routing it to/from the WAN (or between local subnets), you don't need use-ip-firewall-for-vlan=yes because the traffic will get to the IP firewall while being routed.
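As an added example (not from the thread and not the poster's config), the two bridge settings side by side with what each one does to the DHCP Discover seen in the log, followed by one way to prioritize vlan200 over vlan100 on the routed path without either setting. The subnets and the "fasttrack" comment are from the config above; the queue names, the 90M figure (a placeholder for the real uplink rate) and disabling fasttrack outright are assumptions about how such a setup could look.

```routeros
# Added example, not part of the posted configuration.

# What the log lines show. With these two set, a frame that is only being
# BRIDGED between ports of bridge_LAN (the VLAN 500 DHCP DISCOVER coming in
# on E0-sfp_Uplink and going out to E10_AP, wlan6 and wlan13) is also run
# through /ip firewall filter. It shows up there as
# in:bridge_LAN(E0-sfp_Uplink) out:bridge_LAN(E10_AP), matches no accept
# rule and dies on the final "Everything not allowed is forbidden" drop.
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes

# The default, which fixed it. Bridged frames stay at L2 and are subject
# only to /interface bridge vlan and /interface bridge filter. A packet
# reaches /ip firewall filter only when it is ROUTED, and then it arrives
# as in-interface=vlan500, because the /interface vlan row on bridge_LAN
# has already stripped the tag.
/interface bridge settings
set use-ip-firewall=no use-ip-firewall-for-vlan=no

# Prioritizing vlan200 (192.168.112.0/20) over vlan100 (192.168.96.0/20)
# for traffic the router routes, i.e. to/from E1_Internet or between the
# two subnets, needs no bridge setting: simple queues match the subnet
# that lives in each VLAN.
# Caveat: fasttracked connections bypass simple queues, so the existing
# fasttrack rule must not cover this traffic. Disabling it is the blunt
# option used here; narrowing it with src-address/dst-address is the
# alternative.
/ip firewall filter
set [ find comment="fasttrack" ] disabled=yes

/queue simple
add name=uplink target=192.168.96.0/20,192.168.112.0/20 max-limit=90M/90M \
    comment="parent: the total rate the children share (90M is a placeholder)"
add name=Tec   parent=uplink target=192.168.112.0/20 priority=1/1 max-limit=90M/90M \
    comment="vlan200 is served first when the parent is saturated"
add name=Stuff parent=uplink target=192.168.96.0/20  priority=8/8 max-limit=90M/90M \
    comment="vlan100 gets what is left"
```

Priorities only take effect when the parent queue is actually saturated, so the parent's max-limit must be at or slightly below the real uplink rate; with an oversized parent the children never compete and vlan100 is never throttled in favour of vlan200.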